We currently have 2 sites connected via a PIX-to-PIX VPN. We are about to add a concentrator at one site which will provide access to all networks at both sites for remote clients.
It has been my policy in the past to run all traffic to a site through one firewall to centralize/simplify security administration as much as possible. To follow through on that, I believe that the concentrator's internal interface should be installed on a DMZ, most likely as the only device on that DMZ. We are working with a consultant who believes that the concentrator should be attached directly to our internal network, just like in the picture in the documentation that I found in the 3000 manual. He has stated that this is where Cisco says that it should be. Other than that picture, I have found nothing to back up either him or me. Realizing that I have not even attempted to work out the rest of the config yet, can anyone offer opinions on which way is the best way to do this or suggestions on where I might find more information?
Hi there. I have installed a lot of concentrators for customers in the past, and by way of a surprise, there is no 'standard' way to deploy the device. What it comes down to really is your own security policy.
However, the majority of customers have the external interface of the 3000 on a DMZ of a firewall and then have the internal interface directly on the internal LAN. This is quite a good balance of setup time vs. security. If the company tends more toward the paranoid end of the security scale, then they will have both interfaces each on their own DMZs.
The extra work necessary on the firewall for this deployment can be prohibitive, but also can be essential especially if you are giving access to third parties that require strict access control.
Those companies that tend more toward the 'easy life' end of the security scale have the 3000 deployed in parallel to the firewall, i.e. the external interface has a direct connection on the internet, and the inside is directly on the inside. This sounds a bit insecure to some, but is perfectly valid if the external interface is secured correctly. Also, this deployment still allows access into the network in the event of the firewall dying.
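As an added illustration of the 'extra work on the firewall' that the two-DMZ deployment implies (constructed example, not from the thread or from Cisco's documentation; PIX 6.x syntax, with made-up interface names, addresses and a hypothetical remote-client pool 10.20.0.0/16), the firewall only admits IKE/NAT-T/ESP to the concentrator's public side, and only the specific inside services to its private side:

```cisco
! --- DMZ for the concentrator's public (outside) interface ---
nameif ethernet2 dmz security50
ip address dmz 10.10.10.1 255.255.255.0
! public address 192.0.2.10 maps to the concentrator's public interface 10.10.10.10
static (dmz,outside) 192.0.2.10 10.10.10.10 netmask 255.255.255.255 0 0
! only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the Internet, nothing else
access-list outside_in permit udp any host 192.0.2.10 eq isakmp
access-list outside_in permit udp any host 192.0.2.10 eq 4500
access-list outside_in permit esp any host 192.0.2.10
access-list outside_in deny ip any any
access-group outside_in in interface outside

! --- second DMZ for the concentrator's private (inside) interface ---
nameif ethernet3 dmz2 security40
ip address dmz2 10.10.20.1 255.255.255.0
! decrypted remote-client traffic (assumed pool 10.20.0.0/16) is routed back via the concentrator
route dmz2 10.20.0.0 255.255.0.0 10.10.20.10 1
! identity translation so dmz2 (lower security) can reach inside hosts without NAT
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
! allow clients only to the services they need (assumed: mail and an intranet web server)
access-list dmz2_in permit tcp 10.20.0.0 255.255.0.0 host 10.0.0.5 eq 143
access-list dmz2_in permit tcp 10.20.0.0 255.255.0.0 host 10.0.0.7 eq 443
access-list dmz2_in deny ip any any
access-group dmz2_in in interface dmz2
```

With the concentrator's internal interface directly on the LAN instead, the second half disappears and the per-client access policy has to live on the concentrator itself; the first half (restricting the public side to IKE, NAT-T and ESP) applies to the common deployment as well.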